Classification of packet contents for malware detection

Ahmed, Irfan & Lhee, Kyung-suk (2011) Classification of packet contents for malware detection. Journal in Computer Virology, 7(4), pp. 279-295.

Many existing schemes for malware detection are signature-based. Although they can effectively detect known malware, they cannot detect variants of known malware or new malware. Most network servers, such as on-line shopping malls, Picasa, Youtube, Blogger, etc., do not expect executable code in their in-bound network traffic. Therefore, such network applications can be protected from malware infection by monitoring their ports to see whether incoming packets contain any executable content. This paper proposes a content-classification scheme that identifies executable content in incoming packets. The proposed scheme analyzes the packet payload in two steps. It first analyzes the packet payload to see if it contains multimedia-type data (such as . If not, then it classifies the payload either as text-type (such as or executable. Although in our experiments the proposed scheme shows low rates of false negatives and false positives (4.69% and 2.53%, respectively), the remaining inaccuracies still require further inspection to efficiently detect the occurrence of malware. In this paper, we also propose simple statistical and combinatorial analysis to deal with false positives and negatives.
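The two-step pipeline in the abstract (multimedia check first, then text-versus-executable), as an added illustrative example that is not the paper's code: the magic-byte list, the printable-byte ratio heuristic and its threshold are assumptions made for this example, since the abstract does not state which features the paper uses. It also computes the false-negative and false-positive rates for the "executable" class on constructed sample payloads, so the kind of miss the abstract warns about is visible.

```python
# Illustrative two-step payload classifier (assumed heuristics, not the paper's).
import string

# Assumption: a few common multimedia container signatures for step 1.
MULTIMEDIA_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"ID3": "mp3",
}
PRINTABLE = set(string.printable.encode())
TEXT_RATIO = 0.95  # assumed threshold for step 2 (fraction of printable bytes)

def classify_payload(payload: bytes) -> str:
    """Return 'multimedia', 'text' or 'executable' for one packet payload."""
    if not payload:
        return "text"
    # Step 1: multimedia-type data is recognised by its container signature.
    for magic in MULTIMEDIA_MAGIC:
        if payload.startswith(magic):
            return "multimedia"
    # Step 2: mostly printable bytes -> text-type, otherwise executable.
    printable = sum(1 for b in payload if b in PRINTABLE)
    return "text" if printable / len(payload) >= TEXT_RATIO else "executable"

def error_rates(samples):
    """samples: iterable of (payload, true_label). Returns (fnr, fpr) for the
    'executable' class: FN = executable missed, FP = non-executable flagged."""
    fn = fp = exe = benign = 0
    for payload, label in samples:
        pred = classify_payload(payload)
        if label == "executable":
            exe += 1
            fn += pred != "executable"
        else:
            benign += 1
            fp += pred == "executable"
    return (fn / exe if exe else 0.0, fp / benign if benign else 0.0)

# Constructed sample payloads (not real captures); the last one is a
# deliberately printable "executable" that the ratio heuristic misses.
SAMPLES = [
    (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", "text"),
    (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01", "multimedia"),
    (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00", "executable"),
    (b"\x7fELF\x02\x01\x01\x00" + bytes(8) + b"\x02\x00\x3e\x00", "executable"),
    (b"PRINTABLE_BUT_EXE_LIKE:" + bytes(range(32, 127)), "executable"),
]

if __name__ == "__main__":
    print("fnr=%.3f fpr=%.3f" % error_rates(SAMPLES))
```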

Impact and interest:

5 citations in Scopus

ID Code: 46712
Item Type: Journal Article
Refereed: Yes
Keywords: malware detection, content-classification scheme, executable content
DOI: 10.1007/s11416-011-0156-6
ISSN: 1772-9904
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Computer System Security (080303)
Divisions: Past > Institutes > Information Security Institute
Copyright Owner: Copyright 2011 Springer
Copyright Statement: The original publication is available at SpringerLink
Deposited On: 30 Oct 2011 23:06
Last Modified: 30 Oct 2011 23:37
